On 30 Aug 2004 at 14:48, Ritu Kedia wrote: > Hi Andreas, > > My application does use Slide's WebDAV Client Lib for communicating with > Slide. So yes, both the direct access(via Word) and the access from my > application are via WebDAV. I want to disable slide security checks in the > direct access mode....I would most likely use James' cluster refresh > solution along with custom security implementation...
So everybody is allowed to access as long as he or she goes via a WebDAV client? Is this really what you want? > > With reference to what you pointed below regarding performance issues with > DeltaV turned on: Have you already faced a problem with that? If yes, then > what is the nature of the performance problem? Is it just due to security > checks or does it exist even with security turned off (i.e. for puts, > checkin-checkout, etc)? I did not face the problem with the history folder, but I did experience it with normal folders. Putting the tenth thousand document into a single collection needs about 30 seconds. So having a collection in /history for each document would cause performance issues even if you don't have a single huge collection under /files. Therefor the hack is an interesting solution for this. The reason for the performance problem are: 1. adding a child means deleting all existing children from the store and adding the existing plus the new one. 2. loading a collection (Structure.retrieve()) means instantiating all children of this collection on stock, even if they are not needed. I haven't got experience with Security, but I think as long as you don't have very many ACLs the security checks should not slow down the system too much. > > I use DeltaV with both auto-versioning and security turned off. But I > version every file in the system. Do you see any issues with the versioning > once the # of files in the repository has gone above a particular limit? (I > delete the version history when a file is deleted) > > Thanks for your comments. > Regards, > Ritu > > -----Original Message----- > From: Andreas Probst [mailto:[EMAIL PROTECTED] > Sent: Saturday, August 28, 2004 2:53 AM > To: Slide Users Mailing List > Subject: RE: A question on security configuration > > > On 27 Aug 2004 at 13:19, Ritu Kedia wrote: > > > :( ... The distinguishing factor in my requests is neither the user > > credential nor the resource being accessed. The same user should be able > to > > access the Slide Repository either via my WebService or via > > MS-Word/Excel/etc. I.e. The same user could access the same resource in > > either mode. When accessed via WebService, my application is doing the > > authorization. When accessed directly, I would have to override the > default > > slide security implementation with my custom implementation. > > Can't you develop your HTTP application as a WebDAV client > talking to Slide. You would use the login name and the password > of the HTTP user to connect to Slide via WebDAV. So the > information about who did the PUTs etc. wouldn't be lost. You > would not need to implement the Security yourself. WebDAV users > (Word) would talk to Slide directly. > > Actually checking the security stuff is not that expensive, > although this probably depends on the number of ACLs on the > path. You should be more concerned about performance when you > get big directories, i.e. with more than thousand children. If > you use DeltaV the /history folder could become a performance > issue very soon. > > Maybe you've already explained why this is not possible for you, > if so please excuse this remark... > > Regards, > > Andreas > > > > > I think I would have to try the clustering solution only with my custom > > security implementation (since the direct slide access should also follow > > the same security checks as done in my application). But I won't be able > to > > get to it may be for another month. > > A couple of questions regarding custom security implementation... > > 1. Is the security implementation class configurable via Domain.xml? There > > is a security store configuration in Domain.xml but I haven't seen the > entry > > for the security helper class. > > 2. Which methods would have to be implemented if I am interested only in > the > > authorization checks and not the assignments? > > > > Thanks, > > Ritu > > > > -----Original Message----- > > From: James Mason [mailto:[EMAIL PROTECTED] > > Sent: Friday, August 27, 2004 11:44 AM > > To: Slide Users Mailing List > > Subject: Re: A question on security configuration > > > > > > Done a little more thinking about this. I think separate namespaces > > sounds like a good idea, but there may be a problem. Since the Store > > configurations are per-namespace it's likely that the ExtendedStore > > cache will be per namespace as well. If this is the case then you're > > back to a situation where you'll need clustering to keep the caches in > > sync. Unless you really want everything to run in the same webapp you'd > > probably be better off just running a cluster with two nodes. > > > > Stefan's suggestion gave me an idea, though (several actually). What you > > really need is a way to bypass the security checks in SecurityImpl based > > on some aspect of the request. I went through several ideas involving > > extending WebdavServelt or Domain to provide different > > NamespaceAccessTokens with different Security implementations based on > > where the request came from. This should be viable, but as I was writing > > this I realized that simply providing your own Security implementation > > that always returned true for a specific user should be enough. You'll > > still need to authenticate to the app server as that user, but since the > > Security implementation doesn't actually do any checking it should speed > > things up. For requests that aren't from the special user come in your > > implementation can just call ACLSecurityImpl (or another implementation) > > to do the checking, which should add very little overhead to the > > existing system. > > > > -James > > > > Ritu Kedia wrote: > > >>>BTW how does JAAS decide what client currently accesses the webdav > > server? > > > > > > > > > JAAS can't detect that. In my case below I would have distinguished > > between > > > the 2 modes by the namespace (if that solution was possible). > > > > > > Regards, > > > Ritu > > > > > > -----Original Message----- > > > From: Stefan Lützkendorf [mailto:[EMAIL PROTECTED] > > > Sent: Thursday, August 26, 2004 2:50 PM > > > To: Slide Users Mailing List > > > Subject: Re: A question on security configuration > > > > > > > > > > > > I recently thought about a "scoped SecurityImpl" because we want > > > to have different security checking mechanics on different scopes. > > > On one scope we want to use Slides ACL Security and on an other > > > we want to use the Security checking of our own system. > > > > > > We could of course have a SecurityImpl that permits all actions. > > > > > > But I'm not sure that meets your problem, because your need to use > > > different scopes. > > > > > > BTW how does JAAS decide what client currently accesses the webdav > server? > > > > > > Regards, Stefan > > > > > > Ritu Kedia wrote: > > > > > >>I am using Slide in 2 modes: > > >>1. From within my Application, in which case my application acts as the > > >>entry point for a client. > > >>2. From a third party client, in which case Slide is the entry point for > > > > > > the > > > > > >>client. > > >> > > >>Slide is accessed from within my application using the Slide WebDAV > client > > >>lib. Whereas it is accessed from the third party client via WebDAV (e.g. > > >>WebFolders in MS). > > >>In both these cases, the authentication is done using JAAS. And > > >>authorization depends on the mode of access. When accessed from within > my > > >>application, the authorization will be done by my application but when > > >>accessed directly from a 3rd party client, the authorization should be > > > > > > done > > > > > >>by Slide's security support. In other words, my requirement is to turn > off > > >>Slide's security in one mode and turn it on in the other mode. Both > modes > > >>would be active simultaneously. Could someone please provide me any > > >>hints/help with designing a solution for the above requirement? > > >> > > >>One thought is to have 2 different namespaces, one for each of the above > > >>mode. Both these namespaces would access the same store but would have > > >>different security configurations. Is this achievable? I think this > > > > > > depends > > > > > >>on whether slide.properties is applicable per namespace or per domain. > If > > >>anyone has implemented such a solution, then please do let me know. > > >> > > >> > > >>Regards, > > >>Ritu > > >> > > >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
