Re: Discussion: Security-Aware Artifacts
David E Jones wrote:
> On Dec 30, 2009, at 4:48 PM, Adrian Crum wrote:
>> The security-aware artifacts implementation is nearly complete. The branch is out of date and I can't get it synchronized with the trunk because there are too many conflicts. I would like to create a new branch and port the security-aware artifacts implementation over to that. Any objections?
>
> Nope, sounds good. Just be sure to give us all some good time to test and review it once it is complete in that branch and before adding it to the trunk.

Of course! Not only do I welcome review and testing, I really NEED it. I don't have a lot of time to work on it. My hope is, once it is basically working, others may take an interest in it and get involved.

-Adrian
Re: Discussion: Security-Aware Artifacts
I am interested in reviewing this work. I think there may be some overlap on how we decided to apply security in our OFBiz-based system. In brief, what we did was put security checks at the service definition and then, at presentment artifact load time, we triggered a security application visitor that would walk the model and would transform those artifacts with additional security checks before caching it. The result was that if you have a service that requires PARTYMGR_UPDATE, anything that calls that service (directly or indirectly) would be automatically wrapped with the appropriate security check. This caused buttons, links, forms, and the like to be snipped from rendering via the security check. At transformation time it would roll those security checks up, causing entire areas of the application to be snipped.

Adrian Crum wrote:
> David E Jones wrote:
>> On Dec 30, 2009, at 4:48 PM, Adrian Crum wrote:
>>> The security-aware artifacts implementation is nearly complete. The branch is out of date and I can't get it synchronized with the trunk because there are too many conflicts. I would like to create a new branch and port the security-aware artifacts implementation over to that. Any objections?
>>
>> Nope, sounds good. Just be sure to give us all some good time to test and review it once it is complete in that branch and before adding it to the trunk.
>
> Of course! Not only do I welcome review and testing, I really NEED it. I don't have a lot of time to work on it. My hope is, once it is basically working, others may take an interest in it and get involved.
>
> -Adrian

--
View this message in context: http://n4.nabble.com/Discussion-Security-Aware-Artifacts-tp991181p991495.html
Sent from the OFBiz - Dev mailing list archive at Nabble.com.
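As an added illustration of the roll-up Bob describes (this is a standalone sketch, not code from his system or from OFBiz), the following Python uses a constructed artifact model with hypothetical names: services declare permissions, presentation artifacts inherit everything required by the services they invoke directly or indirectly, and a container is snipped when nothing inside it survives.

```python
from dataclasses import dataclass

@dataclass
class Artifact:
    name: str
    declared: frozenset = frozenset()  # permissions the artifact itself demands
    invokes: tuple = ()                # artifacts it calls: caller needs all of their permissions
    contains: tuple = ()               # child widgets it lays out: rendered only if some child survives

# Constructed sample model; names are hypothetical, not real OFBiz artifacts.
MODEL = {
    "updateParty": Artifact("updateParty", frozenset({"PARTYMGR_UPDATE"})),
    "auditPartyChange": Artifact("auditPartyChange", frozenset({"AUDIT_CREATE"})),
    "deleteParty": Artifact("deleteParty", frozenset({"PARTYMGR_DELETE"}), invokes=("auditPartyChange",)),
    "EditPartyForm": Artifact("EditPartyForm", invokes=("updateParty",)),
    "DeletePartyLink": Artifact("DeletePartyLink", invokes=("deleteParty",)),
    "PartyAdminScreen": Artifact("PartyAdminScreen", contains=("EditPartyForm", "DeletePartyLink")),
    "PartyMenu": Artifact("PartyMenu", contains=("PartyAdminScreen",)),
}

def required_permissions(model, name, _stack=()):
    """Roll-up step run once at load time: an artifact needs its own declared
    permissions plus everything required by the artifacts it invokes, transitively."""
    if name in _stack:
        raise ValueError("cycle through " + name)
    art = model[name]
    req = set(art.declared)
    for dep in art.invokes:
        req |= required_permissions(model, dep, _stack + (name,))
    return frozenset(req)

def render(model, name, granted):
    """Return the (name, children) tree the user may see, or None if snipped:
    leaves need every rolled-up permission; containers keep only surviving
    children and are snipped themselves when none survive."""
    art = model[name]
    if not required_permissions(model, name) <= granted:
        return None
    kept = [child for child in (render(model, c, granted) for c in art.contains) if child is not None]
    if art.contains and not kept:
        return None
    return (name, kept)

if __name__ == "__main__":
    # A user holding only PARTYMGR_UPDATE sees the form but not the delete link,
    # which needs PARTYMGR_DELETE and, indirectly, AUDIT_CREATE.
    print(render(MODEL, "PartyMenu", {"PARTYMGR_UPDATE"}))
    print(render(MODEL, "PartyMenu", set()))
```

Granting PARTYMGR_DELETE alone does not expose the delete link, because the audit service it calls indirectly still demands AUDIT_CREATE; that is the "directly or indirectly" wrapping described above.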
Re: Discussion: Security-Aware Artifacts
The branch implements the design specified in this document:

http://cwiki.apache.org/confluence/display/OFBTECH/OFBiz+Security+Redesign

-Adrian

Bob Morley wrote:
> I am interested in reviewing this work. I think there may be some overlap on how we decided to apply security in our OFBiz-based system. In brief, what we did was put security checks at the service definition and then, at presentment artifact load time, we triggered a security application visitor that would walk the model and would transform those artifacts with additional security checks before caching it. The result was that if you have a service that requires PARTYMGR_UPDATE, anything that calls that service (directly or indirectly) would be automatically wrapped with the appropriate security check. This caused buttons, links, forms, and the like to be snipped from rendering via the security check. At transformation time it would roll those security checks up, causing entire areas of the application to be snipped.
>
> Adrian Crum wrote:
>> David E Jones wrote:
>>> On Dec 30, 2009, at 4:48 PM, Adrian Crum wrote:
>>>> The security-aware artifacts implementation is nearly complete. The branch is out of date and I can't get it synchronized with the trunk because there are too many conflicts. I would like to create a new branch and port the security-aware artifacts implementation over to that. Any objections?
>>>
>>> Nope, sounds good. Just be sure to give us all some good time to test and review it once it is complete in that branch and before adding it to the trunk.
>>
>> Of course! Not only do I welcome review and testing, I really NEED it. I don't have a lot of time to work on it. My hope is, once it is basically working, others may take an interest in it and get involved.
>>
>> -Adrian
Re: Discussion: Security-Aware Artifacts
Not a problem from my POV. Thanks for your continued work on this Adrian!

Jacques

From: Adrian Crum adri...@hlmksw.com
> The security-aware artifacts implementation is nearly complete. The branch is out of date and I can't get it synchronized with the trunk because there are too many conflicts. I would like to create a new branch and port the security-aware artifacts implementation over to that. Any objections?
>
> -Adrian
Re: Discussion: Security-Aware Artifacts
On Dec 30, 2009, at 4:48 PM, Adrian Crum wrote:
> The security-aware artifacts implementation is nearly complete. The branch is out of date and I can't get it synchronized with the trunk because there are too many conflicts. I would like to create a new branch and port the security-aware artifacts implementation over to that. Any objections?

Nope, sounds good. Just be sure to give us all some good time to test and review it once it is complete in that branch and before adding it to the trunk.

-David
Re: Discussion: Security-Aware Artifacts
All that means is that artifacts aren't forced to use only the common create, update, and delete permissions. As was suggested in the design, a service could have an access permission, entities could have a filter permission, etc.

-Adrian

--- On Sat, 5/16/09, Bruno Busco bruno.bu...@gmail.com wrote:
> From: Bruno Busco bruno.bu...@gmail.com
> Subject: Re: Discussion: Security-Aware Artifacts
> To: dev@ofbiz.apache.org
> Date: Saturday, May 16, 2009, 10:33 PM
>
> Adrian,
>
> I added a comment on the Wiki page. I forward it here...
>
> ---
> That's really cool! I can't wait to see it working!
> BTW I can see in the design that an artifact can define its own specific permission. Maybe adding a scenario like "User X can perform the artifact Y-specific operation W on the artifact Y" could be helpful. How will the artifact add its own specific permission?
>
> Posted by Bruno Busco http://docs.ofbiz.org/display/%7Ebruno.busco at May 16, 2009 11:14 | Permalink http://docs.ofbiz.org/display/OFBTECH/OFBiz+Security+Refactor?focusedCommentId=8091#comment-8091
> ---
>
> Thank you,
> Bruno
>
> 2009/5/16 Adrian Crum adrian.c...@yahoo.com
>> This is a continuation of the security refactoring discussion. There is a Wiki page that outlines the design of Security-Aware Artifacts:
>>
>> http://docs.ofbiz.org/x/Ch8
>>
>> I started to build out the scenarios, so that we can be sure the design meets everyone's needs as expected.
>>
>> David - I'm not sure where each scenario is currently implemented. If there is a current implementation you had in mind, please let me know and I will update the page.
>>
>> David - I'm not real clear on your dynamic hierarchy design, so I tried to guess how it works in the scenario pages. Let me know if I'm wrong. Just give me a clear example of how it works (keep in mind I'm not inside your head) and I will update the pages.
>>
>> Developers - please review and comment. This will affect everyone.
>>
>> -Adrian
Re: Discussion: Security-Aware Artifacts
Adrian,

I added a comment on the Wiki page. I forward it here...

---
That's really cool! I can't wait to see it working!
BTW I can see in the design that an artifact can define its own specific permission. Maybe adding a scenario like "User X can perform the artifact Y-specific operation W on the artifact Y" could be helpful. How will the artifact add its own specific permission?

Posted by Bruno Busco http://docs.ofbiz.org/display/%7Ebruno.busco at May 16, 2009 11:14 | Permalink http://docs.ofbiz.org/display/OFBTECH/OFBiz+Security+Refactor?focusedCommentId=8091#comment-8091
---

Thank you,
Bruno

2009/5/16 Adrian Crum adrian.c...@yahoo.com
> This is a continuation of the security refactoring discussion. There is a Wiki page that outlines the design of Security-Aware Artifacts:
>
> http://docs.ofbiz.org/x/Ch8
>
> I started to build out the scenarios, so that we can be sure the design meets everyone's needs as expected.
>
> David - I'm not sure where each scenario is currently implemented. If there is a current implementation you had in mind, please let me know and I will update the page.
>
> David - I'm not real clear on your dynamic hierarchy design, so I tried to guess how it works in the scenario pages. Let me know if I'm wrong. Just give me a clear example of how it works (keep in mind I'm not inside your head) and I will update the pages.
>
> Developers - please review and comment. This will affect everyone.
>
> -Adrian