Re: [Acegisecurity-developer] persisting Permission

[Andrei Sereda]

Hi Ben,

thank you for your response.

I would have a couple of comments to your answers:

1)  PermissionConverter (or PermissionBuilder) should look something like:

Since we expect people to inject their own Permission(s) one doesn't
know the exact implementation class, thus it needs to be provided.
Also the converter should tell us if it can perform the convertion.

public interface PermissionConverter {
  public Permission buildFromMask(Class permissionClass, int mask)
throws NotSupportedPermission;
  public boolean supports(Class permissionClass);

  // better ??
  //public boolean supports(Class permissionClass, int mask);
}

2) Mask checking
Bit-wise checking doesn't exlcude the possibility of having many
Permission(s) assigned to a domain object so there is no limit of 32
permission types.

Let me give you a use case. Suppose we have 3 types of permissions
READ (1), WRITE (2) and ADMIN (3). ADMIN = READ + WRITE. With current
implementation to check that a Sid has ADMIN rights to a domain object
we have to do:

check(ADMIN) || ( check(READ)  check(WRITE) )

Every check() call is a potential DB call, much more expensive than a
bit comparison.

Let me know what you think.

Thanks,
Andrei.


On 2/11/07, Ben Alex [EMAIL PROTECTED] wrote:
 Andrei Sereda wrote:
  Hello Team,
 
  One quick question: is it possible to persist different permissions in
  current acegi implementation (acls package) ? It seems to me that only
  BasePermission is supported out of the box (see BasicLookupStrategy
  convertCurrentResultIntoObject() method) . What if I have my own
  PermissionA and PermissionB (they can be granted to the same domain
  object) ?
 
  Is new column (permission_class) in acl_entry table needed to have
  this functionality?
 
  Am I missing something ?

 Hi Andrei

 Interesting questions, and I'm delighted you're trying out the new ACL
 package and provide much-needed feedback.

 I agree it's necessary to provide some more sophisticated way of
 allowing custom Permission instances to be returned and included in the
 generated AclImpl. As such, perhaps we could change BasicLookupStrategy
 so it uses a new interface:

 public interface PermissionConverter {
   public Permission buildPermissionFromMask(int mask);
 }

 This would be used instead of the following line:

 Permission permission = BasePermission.buildFromMask(rs.getInt(MASK));

 As such, it should provide you a way to return any type of Permission
 instance you wish.

 Regarding your other question on mask checking, this one is by design. I
 used some of the ideas from the Windows ACL subsystem, and it operates
 this way. One benefit of the existing approach is we can have as many
 permission _combinations_ as we like, whereas considering bits
 individually limits us to 32 distinct permissions for an application
 only. Using combinations also simplifies permission blocking logic. To
 resolve your requirement, you have two basic options:

 1. Add individual permission entries to a single domain object. This
 would increase database rows, naturally.

 2. Add cumulative permission masks to your AclEntryVoter etc
 configurations. This would increase XML, but we could mitigate that to a
 large extent with proper namespace support.

 I am not entirely opposed to AclImpl using a new strategy interface that
 provides the isGranted(Permission[] permission, Sid[] sids, boolean
 administrativeMode) response. However, doing so would mean any
 administrative tools or other extensions that people might build for the
 ACL package would become bound to whatever approach that strategy used.
 I'm therefore leaning slightly towards not providing the flexibility of
 custom ACL, as I don't believe the second option above is too onerous.
 Your comments on this are welcome, of course.

 Cheers
 Ben

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier.
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net

Re: [Acegisecurity-developer] persisting Permission

[Ben Alex]

Andrei Sereda wrote:
 Hello Team,
 
 One quick question: is it possible to persist different permissions in
 current acegi implementation (acls package) ? It seems to me that only
 BasePermission is supported out of the box (see BasicLookupStrategy
 convertCurrentResultIntoObject() method) . What if I have my own
 PermissionA and PermissionB (they can be granted to the same domain
 object) ?
 
 Is new column (permission_class) in acl_entry table needed to have
 this functionality?
 
 Am I missing something ?

Hi Andrei

Interesting questions, and I'm delighted you're trying out the new ACL
package and provide much-needed feedback.

I agree it's necessary to provide some more sophisticated way of
allowing custom Permission instances to be returned and included in the
generated AclImpl. As such, perhaps we could change BasicLookupStrategy
so it uses a new interface:

public interface PermissionConverter {
  public Permission buildPermissionFromMask(int mask);
}

This would be used instead of the following line:

Permission permission = BasePermission.buildFromMask(rs.getInt(MASK));

As such, it should provide you a way to return any type of Permission
instance you wish.

Regarding your other question on mask checking, this one is by design. I
used some of the ideas from the Windows ACL subsystem, and it operates
this way. One benefit of the existing approach is we can have as many
permission _combinations_ as we like, whereas considering bits
individually limits us to 32 distinct permissions for an application
only. Using combinations also simplifies permission blocking logic. To
resolve your requirement, you have two basic options:

1. Add individual permission entries to a single domain object. This
would increase database rows, naturally.

2. Add cumulative permission masks to your AclEntryVoter etc
configurations. This would increase XML, but we could mitigate that to a
large extent with proper namespace support.

I am not entirely opposed to AclImpl using a new strategy interface that
provides the isGranted(Permission[] permission, Sid[] sids, boolean
administrativeMode) response. However, doing so would mean any
administrative tools or other extensions that people might build for the
ACL package would become bound to whatever approach that strategy used.
I'm therefore leaning slightly towards not providing the flexibility of
custom ACL, as I don't believe the second option above is too onerous.
Your comments on this are welcome, of course.

Cheers
Ben

-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer