+1 for the idea in general. I'm sure there'll be details to iron out (as pointed
out by Jerome and Ludovic). Maybe a first step (if you haven't already done so) would
be to enable it on your machine (or somewhere else) and build the full codebase to see if
all tests pass. I know quite a few functional tests that will fail and will need to be
updated, but they're easy to fix.
As part of this move I'd like that the old auth code be moved to legacy modules too.
But for that to happen we need that friendly xwiki-oriented interface. Without that we
won't be able to update our code to use the new module.
Do you plan to move the security module to commons too?
Thanks
-Vincent
On Mar 14, 2013, at 9:20 PM, Denis Gervalle <dgl(a)softec.lu> wrote:
Hi devs,
We have had a new (component based) authorization module for a while now, and
I think 5.0 is the perfect time to introduce it as the default right
service. First, I simply propose to change the default in xwiki.cfg:
xwiki.authentication.rightsclass=org.xwiki.security.authorization.internal.XWikiCachingRightService
(Later, I propose that we deprecate that bridge and that we create a
friendly (xwiki oriented) interface over the more generic
org.xwiki.security.authorization.AuthorizationManager. But leave this for a
later proposal.)
So this vote is about changing the default in xwiki.cfg before 5.0M2.
pros:
- improved performance, since the new service is using caching techniques
and a single page load required lots of calls to it.
- ability for extensions to add new rights
- define rights declaratively
- separate methods for checking and verifying rights (throws as opposed to
boolean return)
- fix some long waiting bugs like XWIKI-5174, XWIKI-6987, as well as some
unstated ones
- possibility to easily solve issues like XWIKI-4491
- no more admin right per default
- being in good position to improve it and release dependencies to oldcore
for security matters.
- possibility for third parties to adapt the right settler to their special
needs (right decision is pluggable)
- a consistent right evaluation with very few exceptions that could be
explained and documented
cons:
- no more admin right per default, but since we have DW, the initial setup
is no more a problem, and advanced users may use superadmin.
- groups are only checked from the user wiki, not from the accessed entity
wiki.
- may exhibit some other minor differences compared to the existing
implementation (but mostly consistency fixes)
- tests could be improved; critical parts (right, settler, data structure,
cache) are covered at almost 100%, api at 60%, this is probably better than
the old right service
- documentation should be improved, but this is not worse than the old one
anyway
Since I use the new module in all my production servers for several months
with success, and I really think that if we do not do it now we will never
go ahead, here is my big +1
WDYT ?
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO