Re: using my own DB

[Shay Matasaro]

yep, i agree fully,

based on all comments , ill revise my initial "requirements" .
i am talking about a very specific situation.

1) the application is new
2) data store is RDBMS
3)  Group as a collection of User objects
4) Role as a collection of Permission objects.
5) users can also have permissions
6) Groups can have roles

the nice thing about this approach is that it doesn't force you to use 
roles or groups since permissions are supported on both , you don't even 
have to use either of them , because a user can have permissions.

Shay


Jeremy Haile wrote:
Yeah - I think usages of JSecurity (or any framework for that matter) 
fall into two categories:  1) Using it on a new app  2) Migrating an 
existing app to use it.  I think having a full model, DAOs, UI, etc. 
would be great for category #1, but could be overly limiting for 
category #2.  If we provide this as part of JSecurity, I would 
separate it out into jsecurity-core (which is suitable for both 
categories) and a separate extension for JSecurity that would provide 
you with out-of-the-box data structures, DAOs, UI, etc.  This would be 
more useful to get new apps up and running.  I definitely don't think 
this kind of stuff would be a part of jsecurity-core though.


On Feb 26, 2009, at 2:45 PM, Shay Matasaro wrote:

Hi Jeremy,

Yep in my mind its all about getting to production as fast as 
possible, and dealing with the specifics problems of an application's 
context.

To me , security falls into the same core services as logging , or DB 
pooling, the basic aspects should  just work out of the box....... in 
a perfect world that is ;)

Shay


Jeremy Haile wrote:
Shay,

For a while I've wanted to create an optional addition to JSecurity 
that would provide some out-of-the-box interfaces, simple DAOs, and 
a webapp for managing users/roles/permissions.  Complex apps may 
want to eventually build their own data structures or UI, but I 
think having this in place could help a lot of new projects get up 
and running with security much faster.  Haven't gotten around to it 
yet though...

Jeremy



On Feb 26, 2009, at 2:13 PM, Shay Matasaro wrote:

Hi Les,

hmmm... i might be missing something again , but :

the framework already defines an exiting object model which 
includes principals , roles , groups ,  permissions , tokens , etc ...

the aspects for querying them are well defined , how does defining 
aspects for creating , updating and deleting them  , limits 
implementation?

i am also going to make a very bold statement , and say that any 
application that requires row-level or method level access control 
, will have core requirements that include roles , groups , 
permissions, etc..., and CRUD operations for all of them.

i am not sure that one size fits all is the best option.

Take my case for example I'm writing a new app from scratch; no 
legacy , no limitations , i just don't  want to write again the 
same code that i wrote numerous times before for other companies , 
which ends up looking identical.

please don't take my comments as any kind of criticisms with 
regards to JSecurity , it is a great library, and much better then 
anything out there , including Acegi; I'm just trying to encourage  
discussion and maybe affect the roadmap.

there is always the valid option that i might have defined my 
requirements in the wrong way , in which case , i hope that this 
discussion will point me in the right way.

thanks,
Shay




Les Hazlewood wrote:
Also, on the Object data model front - we definitely cannot 
enforce an Object model on end users.  Legacy systems, 3rd party 
APIs, and different developers viewpoints would make this very 
impractical - most people would never want to implement those 
interfaces, plus it would force an API lock-in of JSecurity into 
your data model (not good - violates the Low Coupling/High 
Cohesion principal).

But this is why the sample apps exist - to show people how the 
JSecurity developers prefer writing our own applications and data 
models.  You can choose to mirror your data model against what we 
use in the samples if you like, but we can't force one :/

Regards,

Les

On Thu, Feb 26, 2009 at 12:41 PM, Shay Matasaro 
<matas...@gmail.com <mailto:matas...@gmail.com>> wrote:

  Thanks for the replies guys.

  so its up to me to implement all permissions related aspects
  including wildcards , and instance levels ones, seems a bit 
tricky ?


  I think that the end goal for a security framework should include
  top to bottom interfaces and *Object *data model (definitely not
  table schemes , just class and interface definitions) , this
  approach would still allow developers to wire the framework to any
  data storage, but the model will enforce proper architecture.

  for an experienced developer some of these design decisions ,
  might look simple , but junior and intermediate devs require some
  guidelines especially when doing first time implementations.



  Thanks,
  Shay


  Les Hazlewood wrote:

      Hi Shay,

      Daniel is correct.  Data models (users, groups, roles,
      permissions, etc, etc) vary widely across applications -
      JSecurity can't, and shouldn't, expect or enforce data model
      APIs on framework end-users.

      So, the Realms perform simple translation from an
      application's data model to what JSecurity expects, in the
      form of AuthenticationInfo and AuthorizationInfo return values
      that JSecurity does understand.

      When writing an application, I do all CRUD operations for
      security data - users, roles, etc in a different place - e.g.
      a UserManager.  The Realm implementation just delegates to the
      UserManager (or similar) to get the data necessary for
      JSecurity, then transforms it as necessary, and returns it.
       It stays read-only while the UserManager does 
read/write/update.
      Your Realm can interact with a datasource directly too if you
      want - it is up to you.  I just choose to delegate since the
      UserManager already has a DAO that interacts with the
      datasource - no need for me to use the datasource APIs in two
      different places.  But it is still your choice dependening on
      your needs/desires.

      If you want a head-start in creating your own data model that
      will work very well, either with or without JSecurity, take a
      look at the Spring/Hibernate sample application that ships
      with JSecurity's distribution.  It has User, Role, and
      Permission objects all queried/saved by Hibernate.  Even if
      you don't use Hibernate, the data model in that sample app
      will give you ideas.

      Cheers,

      Les

      On Thu, Feb 26, 2009 at 10:50 AM, Daniel J. Lauk
      <daniel.l...@gmail.com <mailto:daniel.l...@gmail.com>
      <mailto:daniel.l...@gmail.com <mailto:daniel.l...@gmail.com>>>
      wrote:

         Hello, Shay.

         AFAIK the JSecurity framework only provides interfaces for
      "consuming"
         (=reading) information.
         (Side note: I'm not sure, if the DAO pattern considers
      write access in
         the first place)

         Of course, when you write your implementation of the
         org.jsecurity.realm.Realm interface you can add such
      functionality to
         your implementing class.

         Cheers,
         DJ

         2009/2/26 Shay Matasaro <matas...@gmail.com
      <mailto:matas...@gmail.com>
         <mailto:matas...@gmail.com <mailto:matas...@gmail.com>>>:

         > Hi Les,
         >
         > Thank you for the prompt reply.
         >
         > i have been reviewing all Realm implementations , but I am
         obviously missing
         > something , since implementing a custom realm only 
requires
         implementing 2
         > DB queries.
         >
         > what i don't see , is where does the DB persistence take
      place ,
         i.e.
         > persisting new users, roles, groups , permissions; I
      assume that
         i need to
         > implements all of these, by extending existing classes.
         >
         > do i have to implement my own token, user, account, role,
      group
         , etc..?
         > or are there specific extension point that i can hook
      into , without
         > overriding the whole model?
         >
         >
         > Thanks,
         > Shay
         >
         >
         >
         > Les Hazlewood wrote:
         >>
         >> Hi Shay,
         >>
         >> JSecurity can use any data source - it does that by 
wrapping
         access to
         >> that data source in a Realm implementation:
         >>
         >> 
http://www.jsecurity.org/api/org/jsecurity/realm/Realm.html
         >>
         >> A Realm is essentially a security-specific DAO, so you 
can
         communicate
         >> with any back-end you need.  Check out the Sample
      applications
         in the
         >> JSecurity distribution, as well as some of the Realm
         implementations here:
         >>
         >>
         >>
                
http://svn.apache.org/repos/asf/incubator/jsecurity/trunk/core/src/org/jsecurity/realm/ 

         >>
         >> Look at the text, jndi, ldap sub packages for ideas, as
      well as
         the sample
         >> applications that ship with JSecurity's distribution.
         >>
         >> I hope that helps!
         >>
         >> Cheers,
         >>
         >> Les
         >>
         >> On Thu, Feb 26, 2009 at 8:53 AM, Shay Matasaro
         <matas...@gmail.com <mailto:matas...@gmail.com>
      <mailto:matas...@gmail.com <mailto:matas...@gmail.com>>
         >> <mailto:matas...@gmail.com <mailto:matas...@gmail.com>
      <mailto:matas...@gmail.com <mailto:matas...@gmail.com>>>> 
wrote:
         >>
         >>    Hi All,
         >>
         >>    I ran into JSecurity yesterday and it  looks very
      promising, i'd
         >>    like to add it to my web service application.
         >>
         >>    The only hurdle to cross is the fact that my app uses
      its own
         >>     "object oriented DB" ; i would therefore like to
      customize
         >>    Jsecurity to use our own data layer.
         >>
         >>    is it possible to customize just the low-level db
      access , and
         >>    allow JSecurity to maintain all the great features
      that it
         offers
         >>    without rewriting all aspects?
         >>
         >>    if so what is the bare minimum list of objects and
         interfaces that
         >>    i need to extend in order to achieve that goal 
(this is a
         new app
         >>    , so i don't have to align with any existing table
      schema).
         >>
         >>    To the project developers , Great Job!  , the library
      seems very
         >>    simple and easy to use, and after messing about with
      JAAS for
         >>    awhile , i can really value simplicity.
         >>
         >>    Thanks,
         >>    Shay
         >>
         >>
         >>
         >>
         >
         >