Hi Rupert,

Thanks for your comments.

1. It is possible to do this via the User Management tab on the Felix
webconsole. While this seems to be already easier than the old way of
setting the webconsole platform, a new version is on the way.

2. I agree that there should be some documentation on how to configure
users and roles. What Bundlelist to include seems quite self-evident (we
don't have this info for the other modules).

3. Basically, module developers need to know nothing Stanbol-specific. I
summarized the most important Java security bits on
http://mail-archives.apache.org/mod_mbox/incubator-stanbol-dev/201209.mbox/%3ccalvhueusmj3cidq28pf9_te67jcvdx48jrpg1eqlqxsoyg3...@mail.gmail.com%3E.
Should I place this on the wiki?

4. Creating an own module seems overkill and pointless as the module
checking requiring the permissions would require the module and on the other
hand the module by itself would be of no value.

5. It is up to the modules to decide what permission they require, so it
should be in the respective tests to check for them. If they shouldn't
require any permission, then we should just make sure security is enabled
when the integration tests run.

My proposal is just to enable security by default if the respective bundles
are there; this would allow developers to see how their bundles behave in a
secure context. This isn't just the case for the Stanbol launcher but also
for most application servers. So enabling security in the full launcher
helps developers have their modules portable. I've fixed some security bugs
in engines and content-hub which would have prevented them from being usable
in Java 2 security enabled application servers.

Do you see any concrete disadvantage in this?

Cheers,
Reto

On Fri, Nov 30, 2012 at 6:15 AM, Rupert Westenthaler <
[email protected]> wrote:

> Hi all
>
> Regarding Security I am missing the following things:
>
> 1. HOWTO configure users and passwords: I would like to have the
> possibility to do that via the Felix Webconsole (e.g. an own Stanbol
> User Management and/or Stanbol Security tab). This is simple because
> that will be the place where users will look first. So even if that is
> not possible I would suggest to add such a tab that shows the
> description of how to do it.
>
> 2. User Documentation: On the Webpage there should be an own Section
> for Security: What launchers support it. What Bundlelists to include.
> How to configure ...
>
> 3. Developer Documentation: How to add higher level Permissions to a
> Stanbol Component. With an example and Walk through. The best would be
> an example for an EnhancementEngine.
>
> 4. Definition/Implementation of Stanbol Component specific Permissions
> in own modules (e.g. a module like o.a.s.enhancer.security) that
> contains Permissions (and other useful stuff) relevant for the Stanbol
> Enhancer (e.g. Execute Enhancement Engine, Enhance Content for
> Language, Enhance Content Item with a maximum size ...)
>
> 5. Integration tests that test security
>
> If those things would be available I would feel much better to vote
> about Security. Because currently my understanding is on a very
> abstract level (based on the discussion of the thread already linked
> by Fabian [1])
>
>
> best
> Rupert
>
>
> [1] http://markmail.org/message/yamwhcla3b2j4onj
>
>
> --
> | Rupert Westenthaler             [email protected]
> | Bodenlehenstraße 11                             ++43-699-11108907
> | A-5500 Bischofshofen
>
