I think everyone needs to step back just a bit. Yes, some code was
written, but nothing that drastically changes anything. Actually, I
paid very close attention to make sure that this could sit on the side
lines so it could be evaluated. Very little effort has been put into
the real work of migrating the applications, but that is going to
change soon...
So, instead of discussing what should or should not have been done,
look at the fact that this entire effort is sitting in the community's
lap right this minute. But instead of reviewing what is there,
pointing out weaknesses, offering suggestions or anything constructive
at all, the discussion is solely around whether or not code should
have been implemented. Let's face it, these documents have been
in front of you for over a week, and there was not a single objection
or concern raised until today. I have only a limited amount of free
time, and if I am going to follow this effort through to the end,
it needs to have a steady progression. So to be frank, get over it.
Code is being worked on actively for this effort, and I am expecting
more involvement as soon as the API is finalized. That said, if you do
have something to add, wish to see or just want to be involved, now is
the time to be proactive! Otherwise the effort will push forward with
the people who are indeed interested in improving security in OFBiz.
Andrew
On May 1, 2009, at 8:38 PM, Adrian Crum wrote:
--- On Fri, 5/1/09, Scott Gray <scott.g...@hotwaxmedia.com> wrote:
Some of these questions in the discussions so far give me
the feeling that the write up Andrew put in confluence
hasn't been read, is that the case?
Anyway, I'm a +1 for the new auth framework, I think it
gives us more power AND simplicity. Will it need improvement
over time? Of course it will, but I think it's a much
better base to work from.
I don't know if you were around at the time, but I was. One of the
"weaknesses" Andrew is trying to fix with this latest effort is the
permissions services - another design he introduced a couple years
ago. Everyone went along with it and re-wrote code to use service
permissions. (I spent several weekends just converting the
accounting component over to the new security implementation). Now
we're being told "Oops, that design is limited, let me try again."
Why would anyone have any objection to opening this up to the
community before we start writing code? Maybe there are others who
see weaknesses in the new design. Give them a chance to offer input.
-Adrian