Hi Burrow, yes, I think you are right.
Stefan

Warwick Burrows wrote:
Hi Stefan,

Ok so we will actually have something like this?

/history/h1 [Fred.doc]          1st doc
/history/h2     [Barney.doc]    2nd doc
.
.
.
/history/1/h1 [Benny.doc]       11th doc
/history/1/h2 [Jack.doc]        12th doc
/history/1/h3 [Jill.doc]        13th doc
.
.
.
/history/1/2/h2 [Nigella.doc]   122nd doc
/history/1/2/h3 [Nigel.doc]     123rd doc


I.e. the "leaf" nodes of the folder structure that represent the history folders (and not just containers) of the hierarchy are always named "h?" where "?" is their history file number MOD 10. The dir names in between are numbered with no letters? In this case then if I want to delete Fred.doc then I will only delete /history/h1 so this hack will still work for me.

Thanks,
Warwick
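
The layouts discussed in this exchange, as an added Python sketch that is not part of the original messages or of Slide's code: it builds the history path for a history number under each layout and lists which histories a recursive delete would take with it. The function names and sample numbers are assumptions made for illustration; the path forms come from the examples quoted in the thread.

```python
# Added illustration; the layouts are taken from the examples in this thread,
# not from the Slide source code.
from typing import Callable, Iterable, List


def flat_path(n: int) -> str:
    """Default layout: every history collection sits directly under /history."""
    return f"/history/{n}"


def nested_digits_path(n: int) -> str:
    """Layout first assumed in the thread: one plain folder per decimal digit."""
    return "/history/" + "/".join(str(n))


def nested_h_path(n: int) -> str:
    """Layout confirmed in the thread: digit folders, leaf named 'h' + last digit."""
    digits = str(n)
    return "/".join(["/history", *digits[:-1], "h" + digits[-1]])


def removed_by_recursive_delete(
    target: int, ids: Iterable[int], layout: Callable[[int], str]
) -> List[int]:
    """History numbers whose collection lies at or below layout(target)."""
    root = layout(target)
    return sorted(
        i for i in ids
        if layout(i) == root or layout(i).startswith(root + "/")
    )


# Constructed sample: history numbers of five versioned documents.
SAMPLE_IDS = [1, 11, 12, 122, 123]

if __name__ == "__main__":
    for layout in (flat_path, nested_digits_path, nested_h_path):
        hit = removed_by_recursive_delete(1, SAMPLE_IDS, layout)
        print(f"{layout.__name__:20s} delete {layout(1):12s} removes {hit}")
```

With plain digit folders the collection for one history is an ancestor of others, so a recursive delete reaches them; with the "h" leaf names each history collection is a leaf and the delete stays confined to it.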


-----Original Message-----
From: Stefan Lützkendorf [mailto:[EMAIL PROTECTED]
Sent: Monday, August 30, 2004 11:22 AM
To: Slide Users Mailing List
Subject: Re: AW: A question on security configuration



Seems I was not exact, the history urls with hack have the form

/history/1/h2   (instead of /history/1/2)
/history/1/2/h3   (instead of /history/1/2/3)

so you won't delete other histories if you delete a single one, I think.

Stefan

Ingo Brunberg wrote:


Right, you are finding and deleting the history folder that corresponds to it. That means you will find and delete only /history/1/2/3 for example and not /history/1.

Think about it,
Ingo



Hi Stefan,

When I delete a file from my application I am currently finding and deleting the history folder that corresponds to it. So if the file I'm deleting corresponds to /history/1 then I recursively delete /history/1. I recursively delete it because the Slide server does not allow me to delete individual history version files, only the whole subdirectory. But if I enabled this hack then I could also be deleting the history files of other unrelated files, is that correct? I.e. there could be a file with the history file /history/1/2 and another with /history/1/2/3? I would like to improve my performance but it looks like it wouldn't work in my case as it would be deleting possibly many other files along with the history I specifically want to delete?


Thanks,
Warwick



-----Original Message-----
From: Stefan Lützkendorf [mailto:[EMAIL PROTECTED]
Sent: Monday, August 30, 2004 8:44 AM
To: Slide Users Mailing List
Subject: Re: AW: A question on security configuration



try
<parameter name="history-collection-hack">true</parameter> in your namespace configuration to enable this hack.

Without this hack, for each versioned resource a version resource history collection is created that exists directly under /history, e.g. /history/1, /history/2 ... /history/1213212. So if you have a lot of versioned resources that /history collection will be large ... and Slide has performance issues with large collections.

With that hack the versioned resource history collection will look like /history/1/2/1/3/2/1/2 instead of /history/121321, so the size of the collections is limited to 10 (or 9?). But of course you will have a lot of collection objects. (So I would prefer a number greater than 10.)

It's not the nicest possible solution, that's why it's called a hack (:-).

regards, Stefan

Florey, Daniel wrote:



Hi,
unfortunately I don't know how to turn this hack on. You have to search the sources for something like history hack or similar. I remember that it only affects the history folder itself, not each folder as these are representing the structure that is created by the user. So turning this hack on means to speed up slide but to decrease the readability of the history folder as subfolders get automatically created.
Cheers, Daniel

________________________________

From: Ritu Kedia [mailto:[EMAIL PROTECTED]
Sent: Mon 30.08.2004 11:49
To: 'Slide Users Mailing List'
Subject: RE: A question on security configuration

Hi Daniel,

I didn't quite understand what the hack really does. Could you please explain it again...

Also does this hack apply only to the history folder or any other folder which has a large no. of children?
It is available from which version of Slide and how do I configure it?

Thanks and Regards,
Ritu

-----Original Message-----
From: Florey, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, August 30, 2004 3:10 PM
To: Slide Users Mailing List
Subject: AW: A question on security configuration

Hi,
as far as I'm aware of, Slide has performance problems with huge directories. This is caused by the propfind that needs to touch each child resource and as such is very slow if a folder has many children.

There is a hack that prevents this in the history folder so that a nested structure with 10 children in each folder gets automatically created. So this should be switched on if you are dealing with many files as they otherwise will let your history folder contain many children.
Cheers, Daniel

________________________________

From: Ritu Kedia [mailto:[EMAIL PROTECTED]
Sent: Mon 30.08.2004 11:18
To: 'Slide Users Mailing List'
Subject: RE: A question on security configuration

Hi Andreas,

My application does use Slide's WebDAV Client Lib for communicating with Slide. So yes, both the direct access (via Word) and the access from my application are via WebDAV. I want to disable slide security checks in the direct access mode....I would most likely use James' cluster refresh solution along with custom security implementation...

With reference to what you pointed below regarding performance issues with DeltaV turned on: Have you already faced a problem with that? If yes, then what is the nature of the performance problem? Is it just due to security checks or does it exist even with security turned off (i.e. for puts, checkin-checkout, etc)?

I use DeltaV with both auto-versioning and security turned off. But I version every file in the system. Do you see any issues with the versioning once the # of files in the repository has gone above a particular limit? (I delete the version history when a file is deleted)

Thanks for your comments.
Regards,
Ritu

-----Original Message-----
From: Andreas Probst [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 28, 2004 2:53 AM
To: Slide Users Mailing List
Subject: RE: A question on security configuration

On 27 Aug 2004 at 13:19, Ritu Kedia wrote:




:( ... The distinguishing factor in my requests is neither the user credential nor the resource being accessed. The same user should be able to access the Slide Repository either via my WebService or via MS-Word/Excel/etc. I.e. The same user could access the same resource in either mode. When accessed via WebService, my application is doing the authorization. When accessed directly, I would have to override the default slide security implementation with my custom implementation.

Can't you develop your HTTP application as a WebDAV client talking to Slide? You would use the login name and the password of the HTTP user to connect to Slide via WebDAV. So the information about who did the PUTs etc. wouldn't be lost. You would not need to implement the Security yourself. WebDAV users (Word) would talk to Slide directly.

Actually checking the security stuff is not that expensive, although this probably depends on the number of ACLs on the path. You should be more concerned about performance when you get big directories, i.e. with more than thousand children. If you use DeltaV the /history folder could become a performance issue very soon.
Maybe you've already explained why this is not possible for you, if so please excuse this remark...

Regards,

Andreas



I think I would have to try the clustering solution only with my custom security implementation (since the direct slide access should also follow the same security checks as done in my application). But I won't be able to get to it maybe for another month.
A couple of questions regarding custom security implementation...
1. Is the security implementation class configurable via Domain.xml? There is a security store configuration in Domain.xml but I haven't seen the entry for the security helper class.
2. Which methods would have to be implemented if I am interested only in the authorization checks and not the assignments?

Thanks,
Ritu

-----Original Message-----
From: James Mason [mailto:[EMAIL PROTECTED]
Sent: Friday, August 27, 2004 11:44 AM
To: Slide Users Mailing List
Subject: Re: A question on security configuration


Done a little more thinking about this. I think separate namespaces sounds like a good idea, but there may be a problem. Since the Store configurations are per-namespace it's likely that the ExtendedStore cache will be per namespace as well. If this is the case then you're back to a situation where you'll need clustering to keep the caches in sync. Unless you really want everything to run in the same webapp you'd probably be better off just running a cluster with two nodes.

Stefan's suggestion gave me an idea, though (several actually). What you really need is a way to bypass the security checks in SecurityImpl based on some aspect of the request. I went through several ideas involving extending WebdavServlet or Domain to provide different NamespaceAccessTokens with different Security implementations based on where the request came from. This should be viable, but as I was writing this I realized that simply providing your own Security implementation that always returned true for a specific user should be enough. You'll still need to authenticate to the app server as that user, but since the Security implementation doesn't actually do any checking it should speed things up. When requests that aren't from the special user come in, your implementation can just call ACLSecurityImpl (or another implementation) to do the checking, which should add very little overhead to the existing system.

-James

Ritu Kedia wrote:



BTW how does JAAS decide what client currently accesses the webdav server?

JAAS can't detect that. In my case below I would have distinguished between the 2 modes by the namespace (if that solution was possible).

Regards,
Ritu

-----Original Message-----
From: Stefan Lützkendorf [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 26, 2004 2:50 PM
To: Slide Users Mailing List
Subject: Re: A question on security configuration



I recently thought about a "scoped SecurityImpl" because we want to have different security checking mechanics on different scopes. On one scope we want to use Slide's ACL Security and on another we want to use the Security checking of our own system.

We could of course have a SecurityImpl that permits all actions.

But I'm not sure that meets your problem, because you need to use different scopes.

BTW how does JAAS decide what client currently accesses the webdav server?


Regards, Stefan

Ritu Kedia wrote:




I am using Slide in 2 modes:
1. From within my Application, in which case my application acts as the entry point for a client.
2. From a third party client, in which case Slide is the entry point for the client.

Slide is accessed from within my application using the Slide WebDAV client lib. Whereas it is accessed from the third party client via WebDAV (e.g. WebFolders in MS). In both these cases, the authentication is done using JAAS. And authorization depends on the mode of access. When accessed from within my application, the authorization will be done by my application but when accessed directly from a 3rd party client, the authorization should be done by Slide's security support. In other words, my requirement is to turn off Slide's security in one mode and turn it on in the other mode. Both modes would be active simultaneously. Could someone please provide me any hints/help with designing a solution for the above requirement?

One thought is to have 2 different namespaces, one for each of the above mode. Both these namespaces would access the same store but would have different security configurations. Is this achievable? I think this depends on whether slide.properties is applicable per namespace or per domain. If anyone has implemented such a solution, then please do let me know.


Regards, Ritu



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]